Re: [PATCH v2 0/7] pipe: buffer limits fixes and cleanups
From: Kees Cook
Date: Thu Jan 11 2018 - 15:36:24 EST
On Wed, Jan 10, 2018 at 9:28 PM, Eric Biggers <ebiggers3@xxxxxxxxx> wrote:
> This series simplifies the sysctl handler for pipe-max-size and fixes
> another set of bugs related to the pipe buffer limits:
>
> - The root user wasn't allowed to exceed the limits when creating new
> pipes.
>
> - There was an off-by-one error when checking the limits, so a limit of
> N was actually treated as N - 1.
>
> - F_SETPIPE_SZ accepted values over UINT_MAX.
>
> - Reading the pipe buffer limits could be racy.
>
> Changed since v1:
>
> - Added "Fixes" tag to "pipe: fix off-by-one error when checking buffer limits"
> - In pipe_set_size(), checked 'nr_pages' rather than 'size'
> - Fixed commit message for "pipe: simplify round_pipe_size()"
Thanks for the fixes! This looks good to me. Please consider the whole series:
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
-Kees
>
> Eric Biggers (7):
> pipe, sysctl: drop 'min' parameter from pipe-max-size converter
> pipe, sysctl: remove pipe_proc_fn()
> pipe: actually allow root to exceed the pipe buffer limits
> pipe: fix off-by-one error when checking buffer limits
> pipe: reject F_SETPIPE_SZ with size over UINT_MAX
> pipe: simplify round_pipe_size()
> pipe: read buffer limits atomically
>
> fs/pipe.c | 57 ++++++++++++++++++++---------------------------
> include/linux/pipe_fs_i.h | 5 ++---
> include/linux/sysctl.h | 3 ---
> kernel/sysctl.c | 33 +++++----------------------
> 4 files changed, 32 insertions(+), 66 deletions(-)
>
> --
> 2.15.1
>
--
Kees Cook
Pixel Security